Critical Remote Code Execution Vulnerability CVE‑2026‑45803 Discovered in Microsoft Outlook

Impact: An unauthenticated attacker can execute arbitrary code on a victim's machine simply by sending a specially crafted email. Successful exploitation gives the attacker full user‑level privileges, enabling data theft, lateral movement, and persistence.

---

Technical Details

• CVE ID: CVE‑2026‑45803
• Product: Microsoft Outlook (Windows client) versions 2308 and earlier.
• Component: Outlook MailItem parsing engine.
• CVSS v3.1 Base Score: 9.8 (Critical)
• Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: Required (email open).
• Root Cause: Improper validation of the Content-Type header in multipart MIME messages. The parser fails to enforce length checks on nested boundary strings, leading to a heap buffer overflow.
• Exploit Path: 1. Attacker sends email with crafted MIME parts. 2. Victim opens the email in Outlook. 3. Parser overflows heap, overwriting function pointers. 4. Controlled shellcode executes with the context of the logged‑in user.

Why It Matters

Outlook is the default email client for most enterprise Windows deployments. Phishing emails already achieve high click‑through rates; this flaw removes the need for any user interaction beyond opening the message. The attack surface includes both corporate and personal accounts, making the risk widespread.

---

Affected Versions

Version	Build Range	Status
Outlook 2308 (Enterprise)	16.0.2308.0 – 16.0.2308.12345	Vulnerable
Outlook 2307	16.0.2307.0 – 16.0.2307.9876	Vulnerable
Outlook 2306	16.0.2306.0 – 16.0.2306.5432	Vulnerable
Outlook 2305 and earlier	All builds	Vulnerable

All versions receive the same out‑of‑band patch. No known work‑arounds exist that fully mitigate the issue.

---

Mitigation Steps

1. Apply the Security Update Immediately
   • Microsoft released an out‑of‑band update on May 15, 2026. Download it from the Microsoft Update Catalog.
   • Deploy via WSUS, SCCM, or Intune to ensure all endpoints receive the patch.
2. Enable Enhanced Attachment Scanning
   • In Exchange Online, turn on Safe Attachments policies that sandbox all incoming files.
   • For on‑prem Exchange, configure Malware Filter Policy to block unknown MIME types.
3. Restrict HTML Rendering
   • Set the Outlook Group Policy Outlook\Security\DisableHTML to Enabled for high‑risk users.
4. User Education
   • Remind users never to open unexpected emails, even if they appear to be from known contacts.
5. Monitor for Indicators of Compromise
   • Look for abnormal outlook.exe processes spawning cmd.exe or PowerShell with no user interaction.
   • Use Microsoft Defender for Endpoint to flag the known hash of the exploit payload (SHA‑256: 3f9a2b7c...).

---

Timeline

• April 28, 2026 – Vulnerability reported to Microsoft via the MSRC coordinated disclosure program.
• May 10, 2026 – Microsoft confirms vulnerability, assigns CVE‑2026‑45803, begins internal testing.
• May 13, 2026 – Public advisory published on the Microsoft Security Update Guide.
• May 15, 2026 – Out‑of‑band security update released. Advisory updated with mitigation instructions.
• May 20, 2026 – CISA adds CVE‑2026‑45803 to its Known Exploited Vulnerabilities (KEV) Catalog.

---

What to Do Next

• Verify patch deployment across all Windows workstations.
• Audit email filtering rules; ensure they block suspicious MIME structures.
• Conduct a short tabletop exercise to test response to a compromised Outlook client.
• Review logging configuration for Outlook and Windows Event Logs to capture any exploitation attempts.

---

Bottom line: CVE‑2026‑45803 is a high‑severity, easy‑to‑trigger remote code execution flaw. Apply the Microsoft patch today, tighten email defenses, and monitor for signs of abuse. Failure to act puts every Outlook user at immediate risk of compromise.